For small and mid-size businesses (SMBs), reducing the attack surface is a basic security measure and one of the most effective: the less of your environment an attacker can reach, the less there is to defend.
Your attack surface is the set of points through which an attacker can reach a device, account or network and get at data: exposed services, logins, devices, and the people who use them. Understanding and managing it will reduce your exposure to cyber risk.
While many SMBs may think they are too small to be a cybercrime target, a quick look at their attack surface often reveals that there are potential access points in their IT network or other vulnerabilities that can be leveraged to stage a cyber attack or data breach.
The reality is that small businesses continue to face a high probability of cyber attack. Recent data shows 43% of cyberattacks are aimed at small businesses, yet only 14% are prepared to defend themselves. And more often than not, SMBs suffer significant financial impact from an attack. One report estimates that the cost of remediating a data breach for companies with fewer than 500 employees averaged about $2.5 million, and that this has continued to increase year over year. In certain regulated industries, businesses still feel these financial consequences in the second and third year after an attack.
Gaining a better understanding of your IT environment, and of the elements in your attack surface that represent risk, is a good step toward a proactive defense.
What are the primary attack surfaces?
Devices and people are two primary attack surfaces.
Devices
Businesses today are connecting to the Internet using more and more devices. This creates more gateways for cybercriminals to carry out cyberattacks.
Along with the exploding volume of data these devices generate, current estimates put the number of connected Internet of Things (IoT) devices in use worldwide at close to 50 billion by 2030.
Now, factor in cyber threats and potential vulnerabilities in operating systems and software, and you can better understand how devices represent a potential risk and can profoundly increase the attack surface.
Ransomware and hybrid ransomware attacks are significant threats to devices. A ransomware attack on its own is bad enough: the malware encrypts the files on a device and the attacker demands a ransom before the user can get them back. But today, ransomware also spreads in hybrid form. Combined with worm-like self-propagation, it does not just infect one device; it moves across the entire network on its own, typically by exploiting unpatched services or reusing credentials it harvests along the way. That is why patching and credential hygiene, not only endpoint antivirus, determine how far an infection gets.
One forecast predicts a ransomware attack on a business every 11 seconds in 2021. In the latest Verizon Data Breach Investigations Report (DBIR), 27% of malware incidents are attributed to ransomware. Other research indicates that 85% of managed service providers reported ransomware attacks against SMBs over the last two years, with 56% seeing attacks in the first six months of 2019.
People
Sophisticated cyberattacks primarily target employees because they are often the weakest link in the digital security chain. In the Verizon DBIR 2020 report, human error accounts for 22% of breaches. According to Gartner, 95% of cloud breaches occur due to human errors such as configuration mistakes, and this is expected to continue.
Adding more risk, safeguards that protect accounts, such as enforced password policies and multi-factor authentication (MFA), are not standard practice within most SMB organizations. And worse, recent research shows that password behaviors continue to be an issue: 91% of people know that using the same password on multiple accounts is a security risk, yet 66% continue to do so anyway. Without MFA, one reused password leaked from an unrelated site is enough to log in as that employee.
Attackers also use social engineering techniques to gain access to networks through employees. Social engineering tricks people into handing over confidential company information or credentials, or into opening a malicious attachment or link. The attacker often contacts employees by email, pretending to be a credible organization or even a colleague. Most employees do not have the knowledge to defend themselves against these advanced social engineering attacks.
Research reveals that 70-90% of malicious data breaches are attributed to social engineering of some type.
What are the best practices to reduce your attack surface?
To reduce the attack surface, SMBs should regularly assess vulnerabilities, secure weak points, and monitor anomalies.
How do you assess vulnerabilities?
The first step in assessing potential vulnerabilities is identifying all the physical and virtual computing devices within a business or organization. That list should include all of these possible attack surfaces:
- Workstations and laptops
- Network file servers
- Network application servers
- Corporate firewalls and switches
- Multi-function printers
- Mobile devices
This infrastructure assessment should distinguish between cloud and on-premises systems and devices, which makes it easier to determine every location where data can be stored.
Now, let's look at where data is accessed and stored. Categorize all business data and divide it into three locations: cloud, on-premises systems, and devices.
For example:
Cloud
- Cloud email and applications
- Cloud storage
- Websites and social media
On-premises systems
- Databases
- File sharing and storage
- Intellectual property
Devices
- Presentations
- Company memos
- Statistics and reports
Next, look at who has access and what kind of access they have. This third and final assessment gives insight into how each department or user reaches data, including access paths with no identifiable owner, such as shared logins, guest accounts and service accounts. Divide the findings into the same three categories and record, for every data location, which of the following apply:
- Specific-user access
- Multi-user access
- Unknown-user access
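The three assessment views above (what and where an asset is, what data it holds, who can reach it) can be recorded together and reviewed mechanically. The script below is an added example, not code from the original article: it runs over a constructed inventory in which every asset name, port and attribute is hypothetical, flags the combinations that widen the attack surface (unknown-user access, internet-reachable logins without MFA, stale patches, administrative ports facing the internet), and names the control that closes each gap. The severity values, the patch-age threshold and the list of sensitive data categories are assumptions chosen for illustration.

```python
"""Attack-surface review over a constructed asset inventory.

Added example, not code from the original article. Every asset, port and
attribute below is hypothetical; the severity values and the list of
sensitive data categories are assumptions chosen for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Data categories treated as sensitive (assumption).
SENSITIVE = {"customer_records", "financial", "intellectual_property", "credentials"}
# Remote-administration / file-service ports that should never face the internet (assumption).
ADMIN_PORTS = {22, 23, 161, 445, 3389}
PATCH_SLA_DAYS = 30  # patch age above which an asset counts as unpatched (assumption)


@dataclass
class Asset:
    name: str
    location: str            # "cloud" | "on-premises" | "device"
    internet_exposed: bool   # reachable from the public internet
    data: set                # data categories stored or accessed here
    access: str              # "specific-user" | "multi-user" | "unknown-user"
    mfa: bool                # logins to this asset require MFA
    days_since_patch: int
    listening_ports: set = field(default_factory=set)


def review(asset):
    """Return (severity, finding, control) tuples for one asset; [] means no gap found."""
    findings = []
    sensitive = sorted(asset.data & SENSITIVE)
    if asset.access == "unknown-user":
        # Nobody can say who reaches this asset: highest priority if the data is sensitive.
        if sensitive:
            findings.append((5, f"unknown-user access to sensitive data {sensitive}",
                             "restrict access; apply DLP"))
        else:
            findings.append((3, "unknown-user access", "identify owner; restrict access"))
    elif asset.internet_exposed and not asset.mfa:
        # A login reachable from anywhere, protected by a password alone.
        findings.append((4, "internet-reachable login without MFA",
                         "secure authentication (MFA, SSO)"))
    if asset.days_since_patch > PATCH_SLA_DAYS:
        # Stale patches matter far more on something the internet can reach.
        severity = 4 if asset.internet_exposed else 2
        findings.append((severity, f"no patch for {asset.days_since_patch} days", "patch management"))
    if asset.internet_exposed:
        exposed_admin = sorted(asset.listening_ports & ADMIN_PORTS)
        if exposed_admin:
            findings.append((5, f"admin/file-service ports {exposed_admin} reachable from the internet",
                             "firewall rule; server hardening"))
    return findings


def prioritize(assets):
    """All findings across the inventory, highest severity first, then by asset name."""
    rows = [(sev, a.name, finding, control) for a in assets for sev, finding, control in review(a)]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def controls_needed(assets):
    """How many findings each control would close: a first cut at a remediation plan."""
    return Counter(control for _, _, _, control in prioritize(assets))


# Constructed inventory (hypothetical): one asset per location type from the assessment.
INVENTORY = [
    Asset("mail-tenant", "cloud", True, {"email", "customer_records"}, "specific-user", False, 0, {443}),
    Asset("file-srv-01", "on-premises", False, {"financial", "intellectual_property"}, "multi-user", True, 45, {445}),
    Asset("mfp-lobby", "on-premises", True, {"scans"}, "unknown-user", False, 400, {23, 631, 9100}),
    Asset("www", "on-premises", True, set(), "specific-user", True, 10, {22, 80, 443}),
    Asset("laptop-sales-07", "device", False, {"presentations", "customer_records"}, "specific-user", True, 5),
]

if __name__ == "__main__":
    for sev, name, finding, control in prioritize(INVENTORY):
        print(f"[{sev}] {name:16} {finding:60} -> {control}")
    print("\nControls needed:", dict(controls_needed(INVENTORY)))
```

On this inventory the lobby printer, with an unknown-user access path, a telnet port forwarded from the internet and no patch in over a year, comes out ahead of the cloud mail tenant that merely lacks MFA; the sales laptop, with sensitive data but named-user access, MFA and a recent patch, produces no finding at all. The rules are deliberately simple so that they can be replaced with whatever the business's own risk ranking is; the point is that the inventory from the assessment, not a scanner's raw output, drives which weak point is fixed first.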
How do you secure weak points and monitor anomalies?
After conducting the assessment, the next step is determining the security measures for your specific attack surface. The right combination of measures both secures the weak points and gives you better visibility into the security of your network.
Below is an overview of the key security services a typical SMB requires.
Data
- Content filtering: regulate which websites employees can visit and block known malicious and phishing domains before a click reaches them.
- Email encryption: with end-to-end encryption, only the sender and the receiver holding the decryption key can read the contents of an email and its attachments.
- Data loss prevention (DLP): a DLP solution prevents end users from sharing sensitive data outside the company by controlling what data they can transfer and where it can go.
- Cloud backup: even with every precaution taken, keep a business disaster recovery (BDR) solution in place that can restore operations quickly. Keep at least one backup copy that cannot be reached or overwritten from the production network, so that ransomware cannot encrypt it, and test restores regularly.

Devices
- Antivirus: installing and monitoring antivirus on all devices, from PCs to mobile phones, is critical to reducing the attack surface.
- Patch management: vulnerabilities are common in operating systems and software, but they can be resolved by installing software patches and keeping software up to date; internet-facing systems should be patched first.
- Regular vulnerability scans: run scans regularly against every asset in the inventory. They report missing patches, exposed services and weak configurations, and their results should be reviewed alongside antivirus status and password policy compliance.
- Web server hardening: web servers usually sit at the edge of the network, which makes them more exposed to attacks. Proper hardening changes default configurations, removes unneeded services and modules, and disables version banners and directory listings that tell an attacker what is running.

People
- Secure authentication: there are many ways to achieve this, but defining password policies and using single sign-on (SSO) and MFA are good first steps for an SMB.
- Secure remote working: as businesses experienced firsthand with COVID-19 work-from-home mandates, remote workers need an encrypted, authenticated path to company data and applications, typically a virtual private network (VPN) connection to the company network. The VPN login should itself require MFA, because it is an internet-reachable door to the whole network.
- Define processes and policies: define what data needs protecting and how. Make this information available so everyone understands their role in keeping the business safe.
- Provide security training: people cannot defend themselves against threats they are unaware of. It is crucial to educate employees on ways to protect themselves, for example by creating strong passwords and recognizing phishing scams.
How do you understand your attack surface and the cyber risks?
SMBs face a threat landscape that is ever evolving. The challenges are magnified when you consider human error risks in the workplace and the need for security awareness education. With knowledge of the key security measures needed, and through approaches like proactive managed security, businesses and organizations can better understand their attack surface and the risks and put strong, cost-effective cybersecurity protection in place to reduce their attack surface and exposure to risk.